Posted to dev@mina.apache.org by Trustin Lee <tr...@gmail.com> on 2007/07/12 05:06:07 UTC

BlacklistFilter and ConnectionThrottleFilter

Hi community,

Could we merge BlacklistFilter and ConnectionThrottleFilter somehow?

Trustin
-- 
what we call human nature is actually human habit
--
http://gleamynode.net/
--
PGP Key ID: 0x0255ECA6

Re: BlacklistFilter and ConnectionThrottleFilter

Posted by Maarten Bosteels <mb...@gmail.com>.
On 7/27/07, Mark Webb <el...@gmail.com> wrote:
>
> You are correct.  There is no difference between listening on port 80
> versus listening on any other port.  I was just providing the example of a
> web server.  Any program could be listening on any port; if the firewall
> allows a certain port in order to connect to the server-based application
> inside the firewall, that application could be subjected to a
> Denial-of-Service attack if the ConnectionThrottleFilter were not in place.
>
> As for the Blacklist filter, this is more like what a traditional firewall
> would provide.  You could specify that hosts A and B can connect to your
> server, but not any other hosts.  The advantage over most firewalls is that
> the BlacklistFilter can have its list updated without requiring a restart
> of the application.


Mark,

This can also be done with MINA.
In fact, we have implemented a MINA AccessFilter that reads its
allowed/disallowed addresses from a database, and users can request that
the filter re-read the list at runtime.

Maarten


Re: BlacklistFilter and ConnectionThrottleFilter

Posted by Mark Webb <el...@gmail.com>.
You are correct.  There is no difference between listening on port 80 versus
listening on any other port.  I was just providing the example of a web
server.  Any program could be listening on any port; if the firewall allows
a certain port in order to connect to the server-based application inside
the firewall, that application could be subjected to a Denial-of-Service
attack if the ConnectionThrottleFilter were not in place.

As for the Blacklist filter, this is more like what a traditional firewall
would provide.  You could specify that hosts A and B can connect to your
server, but not any other hosts.  The advantage over most firewalls is that
the BlacklistFilter can have its list updated without requiring a restart of
the application.


On 7/26/07, mat <fo...@gmail.com> wrote:
>
> What's the difference between listening on port 80 or other port? Can you
> explain more on this one? Thanks.
>
>



-- 
..Cheers
Mark
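
Maarten's database-backed AccessFilter earlier in the thread and Mark Webb's
point above that the list can be updated without restarting the application
both come down to one mechanism: build the new list completely, then swap it
in atomically while connections keep arriving.  The following is an added
example written for this page; it is neither Maarten's code nor MINA's
BlacklistFilter.  The RuleSource interface, the row format, the assumed
access_rules schema and the class names are assumptions of the example, and
the in-memory table stands in for the database.  It goes a little beyond the
thread in accepting CIDR prefixes as well as single addresses.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;

/*
 * Added example (not MINA's BlacklistFilter, not Maarten's AccessFilter): an
 * allow/deny list rebuilt from an external source and swapped in atomically
 * at runtime.  RuleSource, the row format and all class names are assumed.
 */
public class ReloadableAccessFilter {

    /** Source of rules.  A real deployment would back this with JDBC, e.g.
     *  SELECT cidr, action FROM access_rules ORDER BY position (assumed schema). */
    interface RuleSource {
        /** Each row is {"<address or CIDR>", "allow" | "deny"}, in evaluation order. */
        List<String[]> fetchRows() throws Exception;
    }

    /** An address or CIDR prefix, compared on the network bits only. */
    static final class Cidr {
        private final byte[] network;
        private final int prefix;

        Cidr(String spec) throws UnknownHostException {
            String[] parts = spec.split("/", 2);
            network = InetAddress.getByName(parts[0]).getAddress(); // IP literals only, no DNS
            prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : network.length * 8;
            if (prefix < 0 || prefix > network.length * 8) {
                throw new IllegalArgumentException("bad prefix length: " + spec);
            }
        }

        boolean contains(InetAddress addr) {
            byte[] b = addr.getAddress();
            if (b.length != network.length) return false; // an IPv4 rule never matches an IPv6 peer
            int full = prefix / 8, rem = prefix % 8;
            for (int i = 0; i < full; i++) {
                if (b[i] != network[i]) return false;
            }
            if (rem == 0) return true;
            int mask = (0xFF << (8 - rem)) & 0xFF;
            return (b[full] & mask) == (network[full] & mask);
        }
    }

    static final class Rule {
        final Cidr cidr;
        final boolean allow;
        Rule(Cidr cidr, boolean allow) { this.cidr = cidr; this.allow = allow; }
    }

    private final RuleSource source;
    private final boolean defaultAllow;
    // Readers always see one complete, immutable list; reload() replaces it in a single step.
    private final AtomicReference<List<Rule>> rules = new AtomicReference<>(Collections.<Rule>emptyList());

    ReloadableAccessFilter(RuleSource source, boolean defaultAllow) throws Exception {
        this.source = source;
        this.defaultAllow = defaultAllow;
        reload();
    }

    /** Re-read the rules without a restart.  Every row is parsed before anything is
     *  published, so a malformed row leaves the previous list in force. */
    synchronized void reload() throws Exception {
        List<Rule> fresh = new ArrayList<>();
        for (String[] row : source.fetchRows()) {
            if (row.length != 2) throw new IllegalArgumentException("bad row: " + Arrays.toString(row));
            boolean allow;
            if ("allow".equalsIgnoreCase(row[1])) allow = true;
            else if ("deny".equalsIgnoreCase(row[1])) allow = false;
            else throw new IllegalArgumentException("bad action: " + Arrays.toString(row));
            fresh.add(new Rule(new Cidr(row[0]), allow));
        }
        rules.set(Collections.unmodifiableList(fresh));
    }

    /** First matching rule wins; with no match the default applies (false = fail closed).
     *  In a MINA IoFilter, sessionCreated() would ask this with
     *  ((InetSocketAddress) session.getRemoteAddress()).getAddress() and close on false. */
    boolean isAllowed(InetAddress remote) {
        for (Rule r : rules.get()) {
            if (r.cidr.contains(remote)) return r.allow;
        }
        return defaultAllow;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the database table (TEST-NET addresses).
        List<String[]> table = new ArrayList<>(Arrays.asList(
                new String[] {"192.0.2.0/24", "allow"},
                new String[] {"198.51.100.7", "allow"}));
        ReloadableAccessFilter f = new ReloadableAccessFilter(() -> new ArrayList<>(table), false);

        InetAddress inside = InetAddress.getByName("192.0.2.44");
        InetAddress single = InetAddress.getByName("198.51.100.7");
        InetAddress other  = InetAddress.getByName("203.0.113.9");
        System.out.println("inside /24: " + f.isAllowed(inside) + ", listed host: "
                + f.isAllowed(single) + ", unlisted host: " + f.isAllowed(other));

        // An operator revokes one host by inserting a deny row ahead of the allow
        // rows and asks the running filter to re-read the table: no restart.
        table.add(0, new String[] {"192.0.2.44/32", "deny"});
        f.reload();
        System.out.println("after revoke, host inside /24: " + f.isAllowed(inside));

        // A malformed row makes reload() refuse the whole table; the old rules stay in force.
        table.add(new String[] {"192.0.2.0/33", "allow"});
        try {
            f.reload();
        } catch (IllegalArgumentException e) {
            System.out.println("reload refused: " + e.getMessage());
        }
        System.out.println("listed host still allowed: " + f.isAllowed(single));
    }
}
```

Two details carry the security weight.  reload() validates every row before
publishing, so a typo in the table cannot leave the server running with half
a list, and the AtomicReference means a session being checked during a reload
sees either the old list or the new one, never a partially built one.
Whatever triggers reload() at runtime (an admin command, a signal, a JMX
call) is now part of the firewall and needs the same access control as
editing the table itself.  The exact MINA call that closes a rejected session
differs between MINA versions, which is why the hook-up is described in the
comment rather than coded.
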

Re: BlacklistFilter and ConnectionThrottleFilter

Posted by mat <fo...@gmail.com>.
What's the difference between listening on port 80 or another port? Can you
explain more on this one? Thanks.


On 7/21/07, Mark Webb <el...@gmail.com> wrote:
>
> What about a scenario where port 80 is open on the firewall, and a
> malicious person is attempting a DDoS on the server listening on port 80?
>
> I do not think all (maybe not any) firewalls can protect against that.
>
>
>

Re: BlacklistFilter and ConnectionThrottleFilter

Posted by Mark Webb <el...@gmail.com>.
What about a scenario where port 80 is open on the firewall, and a malicious
person is attempting a DDoS on the server listening on port 80?

I do not think all (maybe not any) firewalls can protect against that.


On 7/20/07, mat <fo...@gmail.com> wrote:
>
> Now I wonder whether ConnectionThrottleFilter could be done in most
> Firewall?
>



-- 
..Cheers
Mark

Re: BlacklistFilter and ConnectionThrottleFilter

Posted by mat <fo...@gmail.com>.
Now I wonder whether ConnectionThrottleFilter could be done in most
firewalls?

On 7/13/07, Mark <el...@gmail.com> wrote:
>
> I like that idea.  I also agree with Mat and a firewall *should* handle the
> blacklisting, but defense-in-depth is something I strongly believe in.
>

Re: BlacklistFilter and ConnectionThrottleFilter

Posted by Mark <el...@gmail.com>.
I like that idea.  I also agree with Mat and a firewall *should* handle the
blacklisting, but defense-in-depth is something I strongly believe in.

On 7/11/07, Trustin Lee <tr...@gmail.com> wrote:
>
>
> I think what differs is the policy.  If the policy is pre-programmed or
> permanent, it's what BlacklistFilter does.  Otherwise, it's what
> ConnectionThrottleFilter is supposed to do.  Probably we could create
> some generic filter for which the user can specify a certain policy.  For
> example:
>
> ConnectionThrottlePolicy p = ...;
> ConnectionThrottleFilter f = new ConnectionThrottleFilter(p);
>
> Trustin
> --
> what we call human nature is actually human habit
> --
> http://gleamynode.net/
> --
> PGP Key ID: 0x0255ECA6
>



-- 
..Cheers
Mark

Re: BlacklistFilter and ConnectionThrottleFilter

Posted by mat <fo...@gmail.com>.
My opinion is: should we leave the blacklist job to the firewall?

On 7/12/07, Trustin Lee <tr...@gmail.com> wrote:
>
>
> I think what differs is the policy.  If the policy is pre-programmed or
> permanent, it's what BlacklistFilter does.  Otherwise, it's what
> ConnectionThrottleFilter is supposed to do.  Probably we could create
> some generic filter for which the user can specify a certain policy.  For
> example:
>
> ConnectionThrottlePolicy p = ...;
> ConnectionThrottleFilter f = new ConnectionThrottleFilter(p);
>
> Trustin
> --
> what we call human nature is actually human habit
> --
> http://gleamynode.net/
> --
> PGP Key ID: 0x0255ECA6
>

Re: BlacklistFilter and ConnectionThrottleFilter

Posted by Trustin Lee <tr...@gmail.com>.
On 7/12/07, Mark <el...@gmail.com> wrote:
> Not sure I agree.
>
> Blacklisting a host is analogous to a firewall operation in that the
> administrator of a MINA-based application would determine which hosts can
> connect to the application.  The ConnectionThrottleFilter is designed to
> block host connections when they try and connect too quickly, like in the
> case of a denial-of-service attack.
>
> I could understand combining code via a shared parent class.  There was talk
> of even extending the ConnectionThrottleFilter further by keeping a host in
> the 'block' list for a configurable amount of time.

I think what differs is the policy.  If the policy is pre-programmed or
permanent, it's what BlacklistFilter does.  Otherwise, it's what
ConnectionThrottleFilter is supposed to do.  Probably we could create
some generic filter for which the user can specify a certain policy.  For
example:

ConnectionThrottlePolicy p = ...;
ConnectionThrottleFilter f = new ConnectionThrottleFilter(p);

Trustin
-- 
what we call human nature is actually human habit
--
http://gleamynode.net/
--
PGP Key ID: 0x0255ECA6

Re: BlacklistFilter and ConnectionThrottleFilter

Posted by Mark <el...@gmail.com>.
Not sure I agree.

Blacklisting a host is analogous to a firewall operation in that the
administrator of a MINA-based application would determine which hosts can
connect to the application.  The ConnectionThrottleFilter is designed to
block host connections when they try and connect too quickly, like in the
case of a denial-of-service attack.

I could understand combining code via a shared parent class.  There was talk
of even extending the ConnectionThrottleFilter further by keeping a host in
the 'block' list for a configurable amount of time.

WDYT?

On 7/11/07, Trustin Lee <tr...@gmail.com> wrote:
>
> Hi community,
>
> Could we merge BlacklistFilter and ConnectionThrottleFilter somehow?
>
> Trustin
> --
> what we call human nature is actually human habit
> --
> http://gleamynode.net/
> --
> PGP Key ID: 0x0255ECA6
>



-- 
..Cheers
Mark
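
Trustin's sketch above (ConnectionThrottlePolicy p = ...; new
ConnectionThrottleFilter(p)), Mark's wish in this post to keep a throttled
host in the block list for a configurable time, and Mark Webb's
denial-of-service scenario earlier in the thread all fit one shape: an
admission filter that delegates the decision to a policy, with the permanent
blacklist and the throttle as two policies behind the same interface.  The
following is an added example written for this page, not code from the
thread or from MINA.  ConnectionPolicy, PermanentBlacklistPolicy,
ThrottlePolicy, AllOfPolicy and PolicyFilter are names assumed here, and the
timestamps and TEST-NET addresses in main are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;

/*
 * Added example, not code from this thread or from MINA: one admission filter
 * whose behaviour comes entirely from a pluggable policy, in the shape of
 * Trustin's "ConnectionThrottlePolicy p = ...; new ConnectionThrottleFilter(p)".
 * All type names here are assumptions of the example.
 */
public class PolicyFilterExample {

    /** Decides whether the connecting address may proceed at time nowMillis. */
    interface ConnectionPolicy {
        boolean accept(InetAddress remote, long nowMillis);
    }

    /** Pre-programmed, permanent deny list: the BlacklistFilter case. */
    static final class PermanentBlacklistPolicy implements ConnectionPolicy {
        private final Set<InetAddress> denied = new CopyOnWriteArraySet<>();
        void block(InetAddress a)   { denied.add(a); }
        void unblock(InetAddress a) { denied.remove(a); }
        @Override public boolean accept(InetAddress remote, long nowMillis) {
            return !denied.contains(remote);
        }
    }

    /** Dynamic policy: a host reconnecting sooner than allowedIntervalMillis after its
     *  previous attempt is rejected and stays blocked for blockDurationMillis (the
     *  configurable block time Mark asked for), after which it is admitted again. */
    static final class ThrottlePolicy implements ConnectionPolicy {
        private final long allowedIntervalMillis;
        private final long blockDurationMillis;
        private final Map<InetAddress, Long> lastSeen = new ConcurrentHashMap<>();
        private final Map<InetAddress, Long> blockedUntil = new ConcurrentHashMap<>();

        ThrottlePolicy(long allowedIntervalMillis, long blockDurationMillis) {
            this.allowedIntervalMillis = allowedIntervalMillis;
            this.blockDurationMillis = blockDurationMillis;
        }

        @Override public boolean accept(InetAddress remote, long now) {
            Long until = blockedUntil.get(remote);
            if (until != null) {
                if (now < until) return false;   // still inside the block window
                blockedUntil.remove(remote);     // block has expired
            }
            Long previous = lastSeen.put(remote, now);
            if (previous != null && now - previous < allowedIntervalMillis) {
                blockedUntil.put(remote, now + blockDurationMillis);
                return false;
            }
            return true;
        }
    }

    /** Every member must accept.  List the blacklist first so a banned host never
     *  touches the throttle's bookkeeping. */
    static final class AllOfPolicy implements ConnectionPolicy {
        private final ConnectionPolicy[] members;
        AllOfPolicy(ConnectionPolicy... members) { this.members = members; }
        @Override public boolean accept(InetAddress remote, long now) {
            for (ConnectionPolicy p : members) {
                if (!p.accept(remote, now)) return false;
            }
            return true;
        }
    }

    /** The generic filter Trustin described.  In MINA this decision belongs in an
     *  IoFilter's sessionCreated(), closing the session when the policy says no. */
    static final class PolicyFilter {
        private final ConnectionPolicy policy;
        PolicyFilter(ConnectionPolicy policy) { this.policy = policy; }

        boolean admit(InetAddress remote, long nowMillis) {
            boolean ok = policy.accept(remote, nowMillis);
            System.out.printf("t=%5d ms  %-12s %s%n", nowMillis, remote.getHostAddress(),
                    ok ? "accepted" : "rejected");
            return ok;
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed scenario: TEST-NET addresses and hand-picked timestamps.
        InetAddress banned   = InetAddress.getByName("192.0.2.20");
        InetAddress client   = InetAddress.getByName("192.0.2.30");
        InetAddress attacker = InetAddress.getByName("192.0.2.10");

        PermanentBlacklistPolicy blacklist = new PermanentBlacklistPolicy();
        blacklist.block(banned);
        ThrottlePolicy throttle = new ThrottlePolicy(1000, 5000); // faster than 1/s: blocked 5 s
        PolicyFilter filter = new PolicyFilter(new AllOfPolicy(blacklist, throttle));

        filter.admit(banned, 0);        // on the permanent list
        filter.admit(client, 0);        // first contact
        filter.admit(client, 1500);     // reconnects after the allowed interval
        filter.admit(attacker, 0);      // first contact
        filter.admit(attacker, 100);    // reconnects 100 ms later
        filter.admit(attacker, 3000);   // tries again inside the block window
        filter.admit(attacker, 6000);   // tries again after the block has expired
    }
}
```

Two caveats a practitioner would want.  The throttle keeps one map entry per
source address, so an attacker spraying connections from many addresses (or
spoofing them) grows the maps without bound; evict lastSeen entries older
than the allowed interval, or cap the map, before putting this in front of
anything public.  And per-address throttling only slows an attacker who
reuses addresses; a distributed attack in which every source stays under the
rate passes straight through, which is why this filter is defense in depth
behind the firewall, as Mark said, not a replacement for it.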